{"id":13995438,"url":"https://github.com/praezi/rust","last_synced_at":"2025-07-22T21:33:03.380Z","repository":{"id":41490339,"uuid":"158525190","full_name":"praezi/rust","owner":"praezi","description":"RustPräzi: Representing crates.io as a call-based dependency network","archived":false,"fork":false,"pushed_at":"2019-01-20T13:33:46.000Z","size":93,"stargazers_count":78,"open_issues_count":2,"forks_count":7,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-11-29T17:38:36.048Z","etag":null,"topics":["call-graph-analysis","crates-io","package-management","rust"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/praezi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE-APACHE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-11-21T09:42:57.000Z","updated_at":"2023-12-23T16:49:18.000Z","dependencies_parsed_at":"2022-08-28T19:19:28.867Z","dependency_job_id":null,"html_url":"https://github.com/praezi/rust","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/praezi/rust","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/praezi%2Frust","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/praezi%2Frust/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/praezi%2Frust/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/praezi%2Frust/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/praezi","download_url":"https://codeload.github.com/praezi/rust/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosy
ste.ms/api/v1/hosts/GitHub/repositories/praezi%2Frust/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266578638,"owners_count":23951148,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-22T02:00:09.085Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["call-graph-analysis","crates-io","package-management","rust"],"created_at":"2024-08-09T14:03:24.675Z","updated_at":"2025-07-22T21:33:03.123Z","avatar_url":"https://github.com/praezi.png","language":"Rust","funding_links":[],"categories":["Rust"],"sub_categories":[],"readme":"# RustPräzi ([rʌstpʁɛˈt͡siːz])\n\n[![Build Status](https://travis-ci.org/praezi/rust.svg?branch=master)](https://travis-ci.org/praezi/rust)\n[![LOC](https://tokei.rs/b1/github/praezi/rust)](https://github.com/praezi/rust)\n[![Join the chat at https://gitter.im/praezi/rust](https://badges.gitter.im/praezi/rust.svg)](https://gitter.im/praezi/rust?utm_source=badge\u0026utm_medium=badge\u0026utm_campaign=pr-badge\u0026utm_content=badge)\n\nConstructing call-based dependency networks of [crates.io](https://crates.io) as conceptually described in \n\n\u003e[Hejderup J, Beller M, Gousios G. Präzi: From Package-based to Precise Call-based Dependency Network Analyses. 
2018.](https://pure.tudelft.nl/portal/files/46926997/main2.pdf)\n\n## TL;DR: What does RustPräzi do?\n\n### Description\n\nWith RustPräzi, we go from coarse-grained package-based dependency networks (such as what GitHub uses for their [vulnerable package detection](https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/)) to more fine-grained call-based dependency networks. These allow us to track, for example, whether a vulnerable function of a library is actually being used and whether a security warning really needs to be raised. This is much more precise than package-based dependency networks. In fact, RustPräzi makes such analyses up to 3x more precise.\n\n![Package-based (PDN, above) versus Call-based Dependency Networks (CDN, below)](doc/pdn_cdn.png \"Package-based (PDN, above) versus Call-based Dependency Networks (CDN, below)\")\n\n### Use cases\n\nRustPräzi opens the door to many new or more precise analyses:\n\n* Fine-grained security vulnerability propagation checking\n* Precise license compliance checking\n* Change impact and deprecation analysis (\"Which clients break if I as a library maintainer remove this deprecated method?\")\n* Health analyses of an entire ecosystem (\"What are the most central functions?\", \"Where should we focus our testing efforts?\", ...)\n* ... and more!\n\n## Getting started\n\n### Installation Prerequisites\n\n- The Rust toolchain with `rustup` (download at the [official website](https://www.rust-lang.org/en-US/install.html))\n- Python 2.7 or 3.7\n- GNU Parallel\n- A pre-built binary of LLVM 4.0 (download at the [official website](http://releases.llvm.org/download.html#4.0.0)). In the `conf.ini` (root of the repository), specify the path to the uncompressed LLVM binary.\n- Recommended OS: Ubuntu 16.04.3 LTS\n\n### System Setup\n- :warning: Building crates can be dangerous, as for some crates this includes running their tests. 
Hence, it is advised to build in a sandboxed environment.\n- 💻 We recommend running it on a very powerful system. Compiling 80k+ crates is no easy feat.\n\n\n### 1. Create a `conf.ini` file at the root of the project with the following content\n\n```ini\nencoding=utf-8\n\n[llvm]\n  # specify the path to the untarred LLVM binary folder.\n  path=/path_where/clang+llvm-4.0.0-[your_platform]\n\n[compiler]\n  stable=1.23.0\n  nightly=1.24.0\n\n[storage]\n  # all data will be stored in this folder\n  path=/where/you/want/to/store/prazi/data\n```\n\nSince the bitcode generation changed in newer versions of Rust, we advise sticking to the compiler versions specified above.\n\n\n\n### 2. Constructing call graphs of crates\n\n1. Compile the tool\n\n```bash\ncargo build --bin prazi --release\n```\n2. Download crates: the downloader will fetch the latest [index](https://github.com/rust-lang/crates.io-index) data, build a list of releases and then download/untar them\n\n```bash\n./target/release/prazi downloader\n```\n3. Rewrite manifests: the manifest rewriter will fix invalid `Cargo.toml` files (e.g., specifying a non-existent local dependency) by emulating a dry-run of `cargo publish`\n\n```bash\n./target/release/prazi rewriter\n```\n\n4. Build crates: this will first attempt to build all downloaded crates using a stable version of the compiler (as specified in `conf.ini`). To use a nightly version for failing builds, prepend the flag `--nightly`\n\n```bash\n./target/release/prazi build-crates\n```\n\n5. Build LLVM call graphs\n\n```bash\n./target/release/prazi build-callgraphs\n```\n\n### 3. Construct RustPräzi\n\n1. Install `rustfilt` for demangling of Rust symbols\n\n```bash\ncargo install rustfilt\n```\n2. 
Run the graph generator script\n\n```bash\n./create_prazi_graph.sh 2\u003e err.log 1\u003e out.log\n```\nTwo graphs are generated:\n- `../cdn/graphs/callgraph.ufi.merged.graph` -- the call-based dependency network (CDN)\n- `../cdn/graphs/crate.dependency.callgraph.graph` -- the package-based dependency network derived from the CDN\n\n### 4. Graph analysis with RustPräzi\n\n\u003cdetails\u003e\n\n\u003csummary\u003e\nLoading Präzi with \u003ca href=\"https://networkx.github.io\"\u003eNetworkX\u003c/a\u003e\n\u003c/summary\u003e\n\n```python\nimport networkx as nx\nimport re\n\n# A node line looks like:  \"\u003csymbol\u003e\" [label: ...];\nNODE_RE = re.compile(r\"^(.*?) \\[label:\")\n# An edge line looks like:  \"\u003ccaller\u003e\" -\u003e \"\u003ccallee\u003e\";\nEDGE_RE = re.compile(r'\\W*\"(.*)\" -\u003e \"(.*)\";')\n\ndef load_prazi(path):\n    \"\"\"Load callgraph.ufi.merged.graph (the CDN) into a directed graph.\"\"\"\n    PRAZI = nx.DiGraph()\n    with open(path) as f:\n        for line in f:\n            if \"-\u003e\" not in line:\n                g = NODE_RE.match(line)\n                if g:\n                    PRAZI.add_node(g.group(1).strip('\"'))\n                else:\n                    print(\"error, could not extract node: %s\" % line)\n            else:\n                g = EDGE_RE.match(line)\n                if g:\n                    PRAZI.add_edge(g.group(1), g.group(2))\n                else:\n                    print(\"error, could not extract edge: %s\" % line)\n    return PRAZI\n\ndef load_prazi_dep(path):\n    \"\"\"Load crate.dependency.callgraph.graph (the package-based network) into a directed graph.\"\"\"\n    PRAZI_DEP = nx.DiGraph()\n    with open(path) as f:\n        for line in f:\n            # only crate-level entries (\"io :: crates :: ...\") are of interest here\n            if \"io :: crates :: \" not in line:\n                continue\n            if \"-\u003e\" not in line:\n                PRAZI_DEP.add_node(line[:-2])  # drop the trailing ';' and newline\n            else:\n                g = EDGE_RE.match(line)\n                if g and (\"io :: crates\" in g.group(1) and \"io :: crates\" in g.group(2)):\n                    PRAZI_DEP.add_edge(g.group(1), g.group(2))\n                else:\n                    print(\"skip edge: %s\" % line)\n    return 
PRAZI_DEP\n\n```\n\u003c/details\u003e\n\n# License\n\nThis project is licensed under either of\n\n * Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or\n   http://www.apache.org/licenses/LICENSE-2.0)\n * MIT license ([LICENSE-MIT](LICENSE-MIT) or\n   http://opensource.org/licenses/MIT)\n\nat your option.\n\n### Contribution\n\nUnless you explicitly state otherwise, any contribution intentionally submitted\nfor inclusion in RustPräzi by you, as defined in the Apache-2.0 license, shall be\ndual licensed as above, without any additional terms or conditions.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpraezi%2Frust","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpraezi%2Frust","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpraezi%2Frust/lists"}